Cyber Security Certifications : Missing in MakeInIndia

History, Personal Experience and Memories

I have been in the information security profession since 2004/2005 (now more popularly known as Cyber Security). That was when I went for my first training for BS7799 from STQC – and I was tagged “Certified Information Security Professional”. Unfortunately in the miniscule job market for information security at that time, no one respected this certification. I learned that I have to look at more “respectable” certifications so I spent a few hundred dollars and sat for, and passed, the Certified Information Systems Auditor (CISA) exam through ISACA. Now I was certified and was soon employed as the CISA certification had a global footprint, and was recognized and respected. There were just about 25,000 certified folks worldwide, and I felt good being part of an elite segment. The certifying body ISACA was coming of age and the fledgling chapters in India were finding their feet too, raising awareness and doing a lot of community building. It was a flagship day when ISACA Mumbai announced the recognition of CISA certified auditors by Reserve Bank of India (RBI). A few years later the ICAI launched the DISA certification, albeit restricted only for their Chartered Accountant (CA) members. A poor man’s certification (not costing hundreds of dollars) the certification was (obviously) easily recognized by all regulators which was unlike the struggle and lobbying for CISA. In these early days other “popular” and “respected” certification available were CISSP, CISM, CEH, BCP and a few BS7799 Auditor / Lead Auditor programs run by STQC, BSI, TUV. Of course there were a few institutes too, offering training and their own certifications. The training entrepreneurs had yet to realize the security tsunami.

India the non-starter

Over these long years the Indian infosec potential employee and employer have embraced CISA, CISSP, CISM, CEH as essential certifications to demonstrate their knowledge and professional capability. The number of certified professional has swelled and each person spends an average ₹ 25,000 to ₹35,000 for the exam (books are another story as we think piracy to contain costs). Unfortunately there has been absolutely no development on this professional certification front at all in the country.

Data Security Council of India (DSCI) a NASSCOM offshoot, came up with a Privacy certification CIPP some years back. Launched with great fanfare it remains undersold and the subject of many a spam messages whenever there is a batch announced. Sadly (inspite of their resources, influence and clout at hand) I would not call it a “mainstream” success which is not surprising too. With GDPR being the flavor of the current season, possibly they would have updated the program to make it current.

Then there is NEILIT and a few other home grown certifications. Nothing mainstream which one can see as “desired” or “demanded” by hiring managers in India or anywhere abroad. Along this time, SANS and GIAC Certifications have gained a high level of traction. These are more expensive and there were few takers, but the quality of the programs and the high level of acceptance is showing a swiftly growing market for them. ISACA also launched their CGEIT, CRISC and other new certification. The CISSP certification now has an Associate CISSP program as well and a Forensics certification (CCFP).

You should not be surprised to know that the CCFP program design team had someone from India helping in the creation – my friend Venkatesh Murthy from Bangalore!

All these and more, certifications and trainings, launched and successfully operating globally, and many Indians at the forefront of delivery but not on Indian certifications of repute or renown.

Indian Success Stories

An Indian success story in this period of time is securitytube.com However this is an online training outfit, albeit with a global audience that has recognized their quality. They have a good repertoire of programs covering wireless security, linux etc. Other global (home grown Indian) successes that I can recall are Payatu (the people behind the nullcon conference, the biggest security conference) providing training in niche specializations like Hardware Security, IoT; Aditya Gupta for Android Security; then there is the Institute of Information Security owned by K K Mookhey in Mumbai and my friend Jaisal in Kozhikode (Kerala) running home grown programs and home grown certifications.

Are these brand names mainstream in HR circles in India.. do any of the HR advertisements call for professionals with these specific trainings or certifications…. The jury is out on this and I would love to get feedback. It will be nice to get some more names of Indian companies with good and respected trainings and certifications.

Making a Case for Indian Certification

There is no reason for not having a strong domestic brand in certification. The organizations that could have picked up the gauntlet and run, did not do this, for whatever reason. Here I am talking of organizations like STQC, DSCI, NASSCOM, CDAC, IIT, IIIT, IIM or even the private players (both early ones and late comers) like Security Tube, Payatu, Appin, MIEL, IIS, etc. The demand for security certification is growing and will continue to grow for a long time. The volume will be proportional to the exponential growth in the demand for Cyber Security professionals to handle industry and government needs. The Indian professional is a cost conscious buyer, culturally, and buys his / her certifications at high cost because there is no local alternative. Once into the profession he/seems the luxury of “stronger” and “tougher” certifications which may cost higher. At all times, while saving for the certification, preparing and practicing the candidate will be seeking to cut costs searching for pirated copies of study materials. These are ground realities and point to one fact – A credible professional certification is needed in the domestic market. A Made in India certifications benchmark will also serve the defense and government establishments as they will be able to weed out dubious skill claims by professionals.

Another ground reality is the present size and foreign exchange spend so I shall take time out to do a little bit of maths on this (Disclaimer: the numbers indicated are from various sources and are assumptions. These are not official numbers, but as and when I get any official figures I shall update) :

– Assuming number of CEH and other EC-Council certified every year = 2000 @ $ 200 each avg cost

TOTALS

With above numbers the spend is about $ 1.4 million per year.

TOTAL NUMBER OF INFOSEC PROFESSIONALS (ALL INDIA) CERTIFIED WITH THESE BODIES::

ISACA – about 7,000

ISC2 – ABOUT 1,700

EC COUNCIL – 10,000:

Other foreign certifications popular / visible in the Indian community are OSCP, SANS, GIAC, CBCP, CIA, CFE.

It is not easy for any Indian professional to pay an average ₹ 18000 for the exam, then about ₹ 5,000 to ₹ 10,000 for the study materials. So it is fair to say that there is a huge market for certifications provided they are good quality, offered and supported by credible and trustworthy entities.

A number of universities offer cyber security courses at graduate, masters and doctoral level, or certificate / diploma programs, but not a single institution (academic or government) has made any effort to work on creating a national brand. Not a single institution is “recognized” for excellence in cyber security, at a national level. In contrast one sees foreign universities and short term programs being touted as the “best” global programs.

And this sorry state exists while hundreds of talented individuals across the country delivering short training programs to LEA, students, citizens, etc

India Awakening (?) to the Opportunity

The silver lining to this situation is that some government agencies, universities and NGOs have joined hands to launch a series of professional certifications. The exam format, coverage, competitiveness, quality and test bench will be comparable to global levels. The certifications will be endorsed / supported by both, govt and non-govt, Indian organizations. With strong support it is hoped that the tests will become the industry benchmark to certify the skills of an individual. The best feature is the neutrality of the exam as a number of different entities will be involved as partners (including crowd sourced IS professionals) – to design the curriculum, the content, exam questions and more.

It is time for local entrepreneurship to move ahead to get a share of the market as well as work with government to provide a domestic system for skill benchmarking as may be needed for security related positions.

Time and again the government and non-government bodies keep issuing statements about the shortage of information / cyber security professionals in the country – from 1 lac (100,000) to 1 million to 1.8 million. It is anyone’s guess as to how this capacity will be built, or trained. One thing is certain, fresher or not, everyone needs training that has to certify the person’s skill and that this should be recognized by employers, so that life is easy for the professional. And that even if we consider that the potential need is 0.5 million – this makes the market valued at $ 100 million considering a cost of $ 200 per certification with training.

No one seems to have done any thinking, in any department of government or academia or industry because everyone is merrily milking the cybersecurity cow, making money selling FUD with a lot of snake oil. As such, we find hundreds of trainings and training institutes with dubious offerings. Or, we have institutes providing “easy” and “guaranteed pass” for these international certifications. I remember sometime back Hyderabad was on an informal blacklist by some western governments for such “guarantee” oriented education and trainings in IT and other professional courses.

There is the need and market for a credible certification program, backed by government or some respectable institutions and individuals. A home grown certification program, of Indian origin, and priced for the Indian market will fly with foreign nationals too in the SE Asia and African subcontinent. I am not too sure about the Middle East, as they have good purchasing power and a dominating western influence.

I do hope the head of some institution is reading this and will take some positive steps. This will considerably boost the Indian skills ecosystem as it will bring professional certification within the means of the average Indian who aspires to building a career in Information Security.

Cyber Security practitioner and evangelist working in cyber security in national and enterprise application. Contributor to national policy, awareness and development of capacity / capability. Keeps a critical eye on the past, present and future in the infosec domain, and firm believer in common sense. Uses practical thinking to demolish purveyors of cyber hype and snake-oil.